API Documentation
Everything you need to integrate: authentication, endpoints, schemas, SDKs, error codes, and webhooks.
Authentication
All Travix Lab API endpoints require authentication via a Bearer token. Include your API key in theAuthorization header on every request. Never expose your API key in client-side code or version control.
# Include on every request:
Authorization: Bearer YOUR_API_KEY
# Example with curl:
curl -X POST https://api.travixlab.com/v1/flights/search \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "origin": "DXB", "destination": "LHR", "date": "2026-09-01" }'OAuth 2.0 also supported: For server-to-server integrations requiring short-lived access tokens, use the client credentials flow at POST /oauth/token. Contact us for OAuth client credentials.
Base URLs
Two environments are available — sandbox for testing and development, production for live traffic. All endpoints are identical between environments; only the base URL changes.
https://sandbox.api.travixlab.com/v1https://api.travixlab.com/v1Sandbox Environment
The sandbox is a full-featured test environment with realistic mock inventory. You can complete end-to-end booking flows — search, price, book, issue, cancel — without real charges or supplier calls. Sandbox credentials are provisioned within one business day of signup.
- Flights: 1,000+ mock itineraries with real fare logic and seat maps
- Hotels: 500+ mock properties with availability, rates, and room types
- eSIM: All country plans available with mock activation flow
- Payments: Use test card 4242 4242 4242 4242 for successful transactions
- Webhooks: Events fire in real time against sandbox bookings
- No rate limits in sandbox — test at full throughput
Rate Limits
Rate limits apply per API key. When exceeded, the API returns HTTP 429 with aRetry-After header indicating when to retry.
| Plan | Requests / sec | Burst | Monthly quota |
|---|---|---|---|
| Sandbox | Unlimited | — | No limit |
| Starter | 30 req/s | 100 req/s (10s) | 5M requests |
| Growth | 100 req/s | 300 req/s (10s) | 50M requests |
| Enterprise | Custom | Custom | Unlimited |
Error Codes
All errors follow a consistent JSON schema with code,message, and optionaldetails array for field-level validation errors.
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Invalid request parameters",
"details": [
{ "field": "date", "issue": "Must be a future date (YYYY-MM-DD)" },
{ "field": "passengers.adults", "issue": "Must be between 1 and 9" }
]
}
}| Status | Name | Meaning |
|---|---|---|
| 400 | Bad Request | Invalid parameters or malformed request body |
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | API key doesn't have access to this endpoint |
| 404 | Not Found | Resource (booking, PNR, hotel) not found |
| 409 | Conflict | Booking conflict — seat or room no longer available |
| 422 | Unprocessable Entity | Validation error — check error.details for field errors |
| 429 | Rate Limited | Too many requests — see Retry-After header |
| 500 | Internal Server Error | Server-side error — safe to retry with Idempotency-Key |
| 503 | Service Unavailable | Upstream supplier unavailable — retry after delay |
Official SDKs
Official SDKs are available in 6 languages. All SDKs are auto-generated from our OpenAPI spec, maintained by Travix Lab engineers, and updated in lockstep with API changes.
npm install @travixlab/sdkpip install travixlabcomposer require travixlab/sdkcom.travixlab:travixlab-sdk:latestdotnet add package Travixlab.SDKgo get github.com/travixlab/go-sdkWebhooks
Webhooks deliver real-time event notifications to your server. Each webhook payload is signed with HMAC-SHA256 using your webhook secret. Verify the signature before processing to prevent spoofed events.
// Node.js: Verify webhook signature
const crypto = require('crypto');
function verifyWebhook(payload, signature, secret) {
const hmac = crypto.createHmac('sha256', secret);
hmac.update(payload);
const expected = 'sha256=' + hmac.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature)
);
}| Event | Description |
|---|---|
| booking.confirmed | A booking has been successfully confirmed with the supplier |
| booking.failed | Booking attempt failed — check error details for reason |
| ticket.issued | E-ticket or voucher has been generated and dispatched |
| booking.cancelled | Booking cancelled — refund details included if applicable |
| pnr.modified | PNR has been modified (seat change, passenger update, etc.) |
| payment.captured | Payment successfully captured from card or wallet |
| payment.refunded | Refund processed — amount and timeline included |
| esim.activated | eSIM QR code scanned and plan activated by traveller |
Idempotency
For write operations (booking, payment, cancellation), send anIdempotency-Keyheader. If your request fails before receiving a response, retry with the same key — the server will return the original response rather than creating a duplicate booking.
POST /v1/bookings
Authorization: Bearer YOUR_API_KEY
Idempotency-Key: 7f9c3b1a-2e4d-4f8a-9b6e-1c3d5e7f9a2b
Content-Type: application/jsonVersioning
Travix Lab APIs use semantic versioning. The current stable version is v1. Breaking changes are always introduced in a new major version (v2, v3). Your existing integration is never silently broken — we provide 90+ days notice before deprecating any version. Non-breaking additions (new optional fields, new endpoints) are added to existing versions without notice.
Need full API reference for a specific product?
Each API has its own detailed reference page with endpoint specs, request/response schemas, and live examples.
Ready to start building?
Request sandbox access and make your first API call in under 30 minutes.